Securing customer information requires a multi-layered approach.
By Anne Baye Ericksen, Contributing Editor
News stories about hacking incidents dominated the headlines last year, starting in January with a security breach at the giant U.S. retailer Target that potentially risked the personal data of an estimated 70 million consumers. The calendar year concluded with Staples’ announcement that infiltration of their data bank resulted in 1.6 million stolen credit card numbers.
While the size of these occurrences garnered national attention, thousands of attacks on businesses of various sizes and scope took place throughout the year, pointing to an alarming trend.
According to a report produced by risk management firm Risk Based Security, more than 2,160 data thefts occurred in 2013. Although this was a decrease from the record high of 3,140 incidents recorded in 2012, the number of records exposed, including credit and debit card account information, more than tripled, from 264 million to 823 million during that period.
Of course with such events come huge economic losses. The Center for Strategic and International Studies estimated that cybercrime cost more than $445 billion worldwide in 2013. Within this mix, convenience stores are just as vulnerable, especially given the heavy customer use of debit cards and credit cards in daily transactions.
“The inexorable march of consumers to digital lives has heightened the opportunity for theft,” said Gray Taylor, executive director for Alexandria, Va.-based Conexxus, formerly the Petroleum Convenience Alliance for Technology Standards. “[This is a] perfect storm of opportunity for thieves of all types to ‘pick our pockets’ from afar.”
As a result, the c-store industry is working to better protect the information of its customers. Just ask Tom Withem, information resources manager for E-Z Mart, based in Texarkana, Texas. “A breach occurring elsewhere, even outside of our industry, certainly gets our attention, both to understand what happened and to rethink whether we are doing what we can to prevent a similar incident,” he said.
REVIEWING THE RISKS
Protecting customer information has become a top priority for retailers, including c-stores, which are investing more in progressive tools to combat cybercrime.
“The challenges involved in maintaining an adequate level of security have constantly increased as has the complexity of meeting those challenges,” Withem said.
While data breaches within the c-store industry haven’t earned national headlines, they have occurred.
“Our breaches tend to be fairly small—a few hundred cards compromised through skimmers—and therefore, don’t get beyond the local news,” Taylor said. “I’m not aware of any network-based breaches of our stores.”
Still, the threat landscape for c-stores is expected to grow, especially as new payment methods are introduced. To keep pace with evolving technology and ahead of hackers, experts recommend adopting a proactive, multi-layered approach to securing customer data.
This month marks the deadline by which businesses accepting credit card transactions should be compliant with the newest Payment Card Industry (PCI) Data Security Standards. One of the factors distinguishing the 3.0 version from previous programs is that there’s less focus on perimeter firewalls to guard servers, which are proving less effective as new payment methods are engaged. Rather, greater attention is being given to locking up the data itself, including information stored in the cloud. This strategy places a heavy emphasis on password protection.
“According to some of the data I’ve read, the password ‘123456’ is the No. 1 password, which is disturbing,” said Stephen Orfei, general manager for the PCI Security Standards Council, based in Wakefield, Mass. “Look at the passwords we have in place and ensure they’re not default passwords. Let’s strengthen them in length and upper- and lowercase [letters] and special characters.”
Experts suggest changing passwords often, such as every 90 days.
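The two password controls the article describes, strengthening passwords in length and character mix and rotating them roughly every 90 days, can be turned into a routine audit of the accounts on a store's POS and back-office systems. The script below is an added illustration, not code from the article or from the PCI Security Standards Council; the 12-character minimum, the contents of the weak-password list beyond "123456", and the sample accounts are all assumptions constructed for the example. It models the check that would run when a password is set or reviewed, which is the only time the plaintext value is legitimately available.

```python
"""Hypothetical password-policy audit for POS and back-office accounts.

Added example; not code from the article. Thresholds and sample data are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Assumed thresholds: the article names only "length, upper- and lowercase
# letters and special characters" and a 90-day rotation interval.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90

# Constructed list of default/weak values that should never be found in use.
# "123456" is the one the article cites; the others are generic placeholders.
KNOWN_WEAK = {"123456", "password", "admin", "changeme", "pos123"}


@dataclass
class Account:
    username: str
    password: str        # plaintext is only available at set/review time
    last_changed: date   # date the password was last rotated


def check_password(pw: str) -> list[str]:
    """Return a list of policy violations for one password (empty if it passes)."""
    issues: list[str] = []
    if pw.lower() in KNOWN_WEAK:
        issues.append("known default/weak value")
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        issues.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        issues.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no special character")
    return issues


def check_age(last_changed: date, today: date) -> list[str]:
    """Flag a password that has not been rotated within MAX_AGE_DAYS."""
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        return [f"not rotated for {age} days (limit {MAX_AGE_DAYS})"]
    return []


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each non-compliant username to its findings; compliant accounts are omitted."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = check_password(acct.password) + check_age(acct.last_changed, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample inventory; none of these are real accounts or credentials.
SAMPLE_ACCOUNTS = [
    Account("pos-terminal-1", "123456", date(2014, 11, 1)),            # default value
    Account("manager", "Tx@rkana-Store7!", date(2014, 9, 1)),          # strong but stale
    Account("vendor-svc", "Fuel-Pump-Svc#2015", date(2015, 1, 2)),     # compliant
]
AUDIT_DATE = date(2015, 1, 15)


def sample_report() -> dict[str, list[str]]:
    """Run the audit over the constructed inventory."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in sample_report().items():
        print(f"{user}: {'; '.join(findings)}")
```

Run against the constructed inventory, the terminal account fails every character rule and is a known default, the manager's password is strong but overdue for rotation, and the vendor service account produces no findings. In practice the weak list would be replaced by a much larger breach-derived list and the inventory pulled from the POS vendor's user management, but the structure of the check is the same.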
Another element stressed in PCI 3.0 is exercising more control over who has access to the data, which includes both employees and third-party vendors. “Who really needs access to this information? Not everyone does and not everyone should,” Orfei said.
PCI 3.0 controls require point-of-sale (POS) training and education for staff who have direct involvement in the payment chain. In terms of outside parties, experts recommend practicing extra due diligence. For example, the We Care guidelines produced by Conexxus and the National Association of Convenience Stores (NACS) advise managers to train staff to ask for vendors’ or technicians’ identification and confirm scheduled service appointments before granting access to POS terminals or dispensers.
Keeping current with ever-evolving technology can be challenging and costly when it involves replacing POS terminals or other systems. However, security specialists stress that updating hardware and software is a key defensive tool.
One example of a hardware upgrade is the EMV (EuroPay, MasterCard and Visa) chip. Instead of one permanent card number like the current credit/debit system, it generates a new number after each purchase when used at a POS terminal specifically programmed to read it.
“The end game, if you will, is to devalue the data so that it is useless in the hands of organized crime, criminals and state-funded actors. [EMV] will defeat fraud at the point of sale,” Orfei said. “We know that it will deliver on its promise [because of its] experience in both the Asian/Pacific and European theaters. Their POS, unlike here in the U.S., is not under attack.”
That said, the c-store industry remains mixed on its value. Merchants must convert to EMV terminals by October 2015, when liability for counterfeit fraud on domestic and cross-border card-present POS transactions will shift to acquirers if the merchant does not have an EMV-enabled POS device. However, EMV cards continue to be accepted at current POS terminals as traditional credit/debit cards without creating a new number.
“Our industry will need to invest $3.5 billion to upgrade our stores to EMV, and we don’t even have a final specification yet,” Taylor said. “I am not sure the financial risk associated with not being EMV-compliant is all that great either.”
Regularly updating software, though, does not require large investments. “I would urge merchants to pay particular attention to the fundamentals, [such as] using the latest antivirus and keeping patches up to date,” Orfei said.
“Software and malware updates are important and implemented on a weekly basis across the company,” echoed Withem. E-Z Mart operates 289 company-owned stores. “It would be reckless to not at least do that.”
Also, as more and more consumers embrace mobile pay methods, the demand for more comprehensive security practices will continue to grow.
“Data security is about constant vigilance,” concluded Taylor.